I do not think they made built-in vulns to the site... My guess would be it checks your input string against a list of possible answers, then stores that you completed that step of the mission in a cookie.

Logically approaching a possible SQL injection attack requires testing assumptions of what the SQL statement looks like in the code. My assumption seems validated by some input and countered by other input, which, after a good 30-45 minutes at it, left me feeling like I was searching more for a magical string rather than working towards a solution by a sequence of SQL queries, each providing additional information to build a proper string required for the attack.

In retrospect it appears this is not in the appropriate forum. My apologies. Please move if needed.

It sure as heck doesn't go up against a real DB. For example, if you use certain commands in certain missions, such as basic 8 I believe, it says "If you are trying to use type of command, you're on the right track, but disabled certain queries for security issues." or a similar message. They filter out all vulns, and add what strings *would* have worked.

Most of the missions test for a magical regex string. A regex of all possible working strings. While it may have worked in a realistic environment, the strings you tried may have actually caused a different flaw, one that cannot be tested in a secure enviro.